Most of us really don’t get excited by the prospect of any kind of audit. The procedures, the paperwork, the possible action steps required afterwards…

Audits are just a part of life if you’re in the medical device business. You can expect a FDA inspector and/or ISO auditor to turn up at some point. This is part of doing business in the medical device industry.

And very few companies look forward to ISO audits and FDA inspections. Most companies view these events as painful, time-consuming experiences that result in a lot of new issues to chase, track down, and address.

But what if ISO audits and FDA inspections were painless?

Is this possible?

Maybe. Okay, these events will always be a bit "noisy" to your business.

However, there is a way to make these external audits a little smoother.

How?

By making sure your internal auditing process is robust, thorough, and more difficult than ISO audits and FDA inspections. To say it another way, your internal audits should be the toughest audits you have.

By doing so, you’re likely to have an easier time with the FDA and ISO.

Think of it as an opportunity. The chance to determine whether there are any issues within your company that really need to be addressed. It’s better that you have the chance to find and rectify them before the FDA gets involved, right?

#1. Have a robust internal auditing process

We always advise that, if anything, your internal auditing process should be more thorough and stricter than a FDA inspection or ISO audit. The whole point is that you want to catch every possible issue first, avoiding the disruptions that external inspection / audit issues can bring.

Of course finding issues during internal audits will still require actions be taken in order to correct and prevent these from recurring. But doing so under your process according to your plans will only make your overall QMS better. Doing so via your internal auditing program is a wonderful way to monitor and measure the effectiveness of your QMS, procedures, processes, and so on.

The purpose of your internal audits should be to deliver some kind of value to your business. It’s your early warning system to keep you on the right path. Internal audits are intended to be a system of checks and balances to ensure:

Procedures are compliant with regulatory requirements

Your procedures are being followed, with supporting documentation and objective evidence to demonstrate

Identify issues and opportunities for improvement

Means to measure the suitability of your QMS

A key mistake that we see is when companies treat the internal audit like another procedural check mark - a task they must just “get through.”

If this is the approach taken at your company, then you’re looking at it the wrong way.

Let me share a quick example I've seen many times over the years.

A company has an internal audit process that requires all processes to be audited within a calendar year. As the end of the year approaches, the company realizes very few of their processes have been part of internal audits. But they have to do so before the end of the year, since this is required according to their internal audit process. So there is then a mad dash effort to complete all internal audits within the last few weeks of the year. In fact, I worked with a company a few years back that outsourced their internal audits to a consultant who conducted all internal audits for the company in the last two weeks of December while being remote and off-site the entire time.

Well the company got their checkmark for conducting all internal audits in the year. But the cascading results brought the company to its knees dealing with the internal audit after math in order to now address any issues found during the internal audits (I'm talking about the CAPAs that result from internal audits).

#2. Be strategic with audit scheduling and plans

For any internal auditing program, there should be an internal audit schedule. Like the story I shared above, often times this schedule may simply list "end of year" for all internal audits listed on the schedule.

Let me suggest an alternative approach.

List all the processes that require internal audits. Do all of these processes need to be audited annually? Or could some processes be audited every other year? Note, that neither ISO 13485 nor FDA QSR require all processes to be internally audited every year. Rather, the expectation is that internal audits be conducted at planned intervals.

Organize and group your processes according to similarities. For example, it may make sense to group design controls and risk management processes because of how these processes interact. Another example: Group management responsibilty and analysis of data.

Then break these groups up, schedule wise, across the entire year. I like the approach of having internal audits happening throughout the year. I like the approach of having internal audits scheduled by quarters.

This approach is helpful because:

You avoid the end of year rush

You always have internal auditing process active

A robust internal audit program will uncover issues that need to be addressed as part of CAPA investigations (see our article on CAPA here). And this might be the biggest benefit of spreading your internal auditing out over the entire year. Doing so will allow you to better manage your CAPA system too, rather than overburden and bog down the CAPA system by adding a whole bunch of new CAPAs at the end of the year.

While a strategic internal audit schedule is important, you also really need to have solid internal audit plans in place first.

Your internal audit plans should include checklists that takes you through the relevant standards, procedures, and requirements that will be expected of you (e.g. FDA, ISO etc.).

These internal audit plans are essential for the internal audit team, as well as those responsible for the processes being audited.

Tip: Have an objective person, one who is not responsible for the actual work, conduct the audit. This might even involve an external consultant. Auditors should not audit their own work and should be appropriately trained for auditing.

Your internal audit should be treated as a valuable opportunity for your company

#3. Define what falls under CAPA

First, be sure you have adequately defined your CAPA process. Sounds like a basic requirement, right? Yet, as we’ve looked at previously, “lack of adequate documentation” and “lack of adequate procedures” are key reasons for 483 observations from the FDA.

The various items that fall under CAPA should be integral parts of the procedures for your company. They are expected to be in place with a formal Quality Management System and the FDA and ISO auditors will look for these. In fact, I gurantee that every FDA inspection and ISO audit will assess and review your entire CAPA system.

What is the relationship between internal audits and CAPA? Internal audits are a key source of CAPA investigations. It is expected that you use CAPA to address major, systemic issues--including those found during your internal auditing activities.

Tip: You are not required to show a FDA inspector the actual internal audit reports. You do need to demonstrate that you are conducting internal audits, however. This is why that internal audit schedule is important as well as demonstrating that there are CAPAs that result from internal audits. Note that an ISO auditor can (and will) review actual internal audit reports.

#4. Have a system to track CAPAs

All critical CAPA activities that result from investigations should be tracked in a centralized system, easily accessible to those who need it. This also acts as your “proof” for the FDA that yes, you do take appropriate CAPA measures when needed.

One of the critical issues we often see in medical device companies is that CAPA can get out of hand. Companies might assume that virtually everything needs to fall under CAPA, when in fact there are plenty of things that can be handled with your change management system and wouldn’t be considered part of CAPA. Companies overburden themselves with CAPA and find that they miss the real issues.

On the opposite side of that are those who under-use CAPA, perhaps missing out key areas for “preventive action.” Dealing only with known problems, or "corrective actions", is very reactionary. You should also consider being more proactive in identifying potential issues before they happen. This is the essence of preventive action side of CAPA.

The bottom line is that you need a clear definition of what types of issues will fall under CAPA, based on the seven areas outlined in FDA 21 CFR 820.10 or ISO 13485:2016.

#5. Define the problem and its scope

So, now we’re at the stage where something has turned up in your internal audit and it falls within the realms of CAPA. The first thing you need is a very clear definition of what the problem actually is.

We often use “should be” and “is” statements for this. For example, “The part should be made of steel. The part is made of aluminium.”

As for scope, how great is the problem? Were all parts made of aluminium or just the last batch received? Does the problem only seem to happen on certain days? Has any product with the fault been released to the market? You should ensure that the depth and intensity of investigations match the severity of the problem.

#6. Take containment action

Once a problem has been identified, the next thing to do is contain it so that you prevent it from escalating or recurring while you look for the root cause. For example, you might need to remove faulty parts from the warehouse, contact the manufacturer of the parts, or even halt production. You may also need to put checks in place to ensure that, should the problem be inclined to occur again, it is caught before it becomes an issue again.

#7. Explore the root causes

Whenever we face a problem within medical devices or within the development process of them, we look to the root cause analysis to determine well, the root cause! The idea is that you need to know what underlying issue/s lead to the problem so that you can fix or mitigate them.

An article for MDDI talks about root cause analysis in CAPA with reference to the book Apollo Root Cause Analysis;

“...there are always at least two causes of any problem. There is always a preexisting condition and an action (or catalyst) that when combined result in a problem. Therefore, employees should always look for at least two causes of any problem. Causes often extend beyond the area or function where they are detected, so for major problems, assemble a cross-functional team to perform the root-cause analysis.”

There are a few different methodologies for completing root cause analysis - you can check out more information on it in an article for the Quality Management Forum here.

#8. Plan and implement CAPA

Once the root cause has been identified, you need to plan for the corrective or preventative action that needs to be taken to deal with the issue. You must figure out what steps need to be taken and what resources do you need. Also, consider if you require approval for extra funds.

Remember, all of this must be documented and readily retrievable should it be required. Once you’ve got your plan, the next part is implementing it - following through to take the necessary steps to resolve the issue.

#9. Follow up

“(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device.”

You need to have a clear, documented method of follow up and testing to ensure that your CAPA actions were effective. This may mean that you need to wait a period of time to ensure that the problem doesn’t recur. Don’t be tempted to close out your investigation too early; timeliness is less of a factor to auditors than being able to prove that you really did solve the problem successfully.

Final Thoughts

Your internal auditing process should be treated as a vital exercise to ensure that your company stays on the right track. Rather than a checkbox item, treat it as a valued input from which your company wants to be able to learn something.

CAPA is a key part of your Quality System that is expected by regulatory bodies. Make sure you have a clear process and that it is documented and accessible.

You should understand the relationship between CAPA and internal auditing. Issues identified during internal audits should be condisered for a more thorough CAPA investigation in order to correct and prevent these issues from recurring.

Better that you find those things early and take care of them than have external audit observation from the FDA and ISO later.

Want more free medical device resources?

Get in-depth weekly articles, right in your inbox.

Jon is the founder and VP of QA/RA at Greenlight Guru (quality management software exclusively for medical device companies) & a medical device guru with nearly 20 years industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.